Channels

Services

Exploit for local Linux kernel bug in circulation - Update

Back in April, the Linux kernel developers fixed an incorrectly declared pointer in the Linux kernel. However, it appears that they overlooked the potential security implications of such a bug – particularly the fact that it is possible to gain access to almost any memory area using a suitable event_id. The developers only got into gear and declared the bug as an official security hole (CVE-2013-2094) after an exploit was released that proves that normal, logged-in users can gain root access this way.

The bug affects any kernel version between 2.6.37 and 3.8.9 that was compiled using the PERF_EVENTS option; apparently, this is the case with many distributions. Which exact distributions are affected will hopefully soon become clear when the relevant security updates are released. Linux security expert Brad Spengler has released a detailed exploit analysis.

Update 16-05-13 10:12:

The Ubuntu Security Team has closed the vulnerability with updates to Ubuntu 13.04, 12.10, 12.04 LTS and in the Hardware Enablement Kernel for Ubuntu 12.04 LTS which is based on the Ubuntu 12.10 kernel. The developers caution users that due to ABI changes in the kernel update, all third party modules installed with these kernels have to be recompiled and reinstalled. Users who use the linux-restricted-modules package will have to update this package as well, which will happen automatically on systems that include the standard kernel meta packages.

Red Hat says that Red Hat Enterprise Linux (RHEL) 4 and 5 are not affected by the problem. RHEL 6 and Red Hat Enterprise MRG 2 are affected and, until the company releases updates that fix the problem, Red Hat recommends mitigating the security risks and gives instructions how to do so on a page on its customer portal web site.

The Debian developers are also working to fix the problem. At the time of writing, Debian stable (Wheezy) and testing (Jessie) are both vulnerable to the exploit, Debian unstable (Sid) is not vulnerable. The fixed kernel package is available in the security update repository for Wheezy, however, and should be updated in the main distribution repository soon.